Vulnerability in Budibase Low-Code Platform Exposing REST Secrets
CVE-2026-48152

8.1 HIGH

Key Information:

Vendor: Budibase

Status
Vendor
CVE Published: 27 May 2026

What is CVE-2026-48152?

In the Budibase low-code platform, prior to version 3.39.0, a security flaw exists that allows users with a Basic app role to exploit inadequately protected GET and PUT routes. These routes lack specific ownership and permission checks, allowing unauthorized access to sensitive REST datasource configurations. Users can manipulate requests to retrieve and alter data, leading to potential exposure of builder-configured REST Authorization secrets. This vulnerability has been addressed in version 3.39.0.

Affected Version(s)

budibase < 3.39.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
